NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-3(3) — Minimize Nonsecurity Functionality
Minimize the number of nonsecurity functions included within the isolation boundary containing security functions.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Where it is not feasible to achieve strict isolation of nonsecurity functions from security functions, it is necessary to take actions to minimize nonsecurity-relevant functions within the security function boundary. Nonsecurity functions contained within the isolation boundary are considered security-relevant because errors or malicious code in the software can directly impact the security functions of systems. The fundamental design objective is that the specific portions of systems that provide information security are of minimal size and complexity. Minimizing the number of nonsecurity functions in the security-relevant system components allows designers and implementers to focus only on those functions which are necessary to provide the desired security capability (typically access enforcement). By minimizing the nonsecurity functions within the isolation boundaries, the amount of code that is trusted to enforce security policies is significantly reduced, thus contributing to understandability.
Practitioner Notes
Keep the security boundary as lean as possible. The less nonsecurity code running inside the trusted security perimeter, the smaller the attack surface and the less code that must be trusted to enforce policy.
Example 1: On your domain controllers, remove all unnecessary roles and features — no web servers, no file shares, no print services. The only software running should be Active Directory, DNS for AD, and the security agent. Use Server Core installations to minimize the OS footprint.
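The following PowerShell script is an added illustration of the domain-controller check in Example 1; it is not part of the NIST control text or of this page's practitioner notes. It audits a DC for installed roles outside an assumed minimal set, flags the roles the note calls out (web server, print services, the File Server role service), and checks that the OS is a Server Core installation. It is read-only: findings are reported and the removal command is printed with -WhatIf for an administrator to review. The allowlist and prohibited list are assumptions to tailor to your environment; the cmdlets (Get-WindowsFeature, Uninstall-WindowsFeature) and the InstallationType registry value are standard Windows Server components.

```powershell
# Added example (not NIST's or the page author's code): audit a domain controller
# for nonsecurity roles inside its isolation boundary, per SC-3(3).
# Requires the ServerManager module (present on Windows Server) and an elevated session.
#Requires -Modules ServerManager
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Assumed minimal role set for a DC: AD DS, its DNS, and the default File and
# Storage Services role that every Windows Server carries. Tailor to your environment.
$AllowedRoles = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services')

# Roles and role services the practitioner note says never belong on a DC.
$ProhibitedFeatures = @('Web-Server', 'Print-Services', 'FS-FileServer')

function Get-DcRoleFindings {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Installation type: 'Server Core' versus 'Server' (Desktop Experience).
    $ntVersion = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($ntVersion.InstallationType -ne 'Server Core') {
        $findings.Add([pscustomobject]@{
            Check    = 'InstallationType'
            Item     = $ntVersion.InstallationType
            Severity = 'Medium'
            Note     = 'Desktop Experience installed; Server Core minimizes the OS footprint in the boundary.'
        })
    }

    # 2. Confirm this host is actually a DC before judging it against the DC allowlist.
    if (-not (Get-WindowsFeature -Name 'AD-Domain-Services').Installed) {
        throw 'AD-Domain-Services is not installed; this audit is intended for domain controllers.'
    }

    # 3. Every installed top-level role outside the allowlist is nonsecurity code in the boundary.
    $installedRoles = Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }
    foreach ($role in $installedRoles) {
        if ($role.Name -notin $AllowedRoles) {
            $findings.Add([pscustomobject]@{
                Check    = 'UnexpectedRole'
                Item     = $role.Name
                Severity = if ($role.Name -in $ProhibitedFeatures) { 'High' } else { 'Medium' }
                Note     = "$($role.DisplayName) is nonsecurity functionality inside the DC boundary."
            })
        }
    }

    # 4. Prohibited role services that hide under an otherwise-allowed role
    #    (e.g. the File Server role service under File and Storage Services).
    foreach ($name in $ProhibitedFeatures) {
        $feature = Get-WindowsFeature -Name $name
        if ($feature.Installed -and $feature.FeatureType -ne 'Role') {
            $findings.Add([pscustomobject]@{
                Check    = 'ProhibitedRoleService'
                Item     = $feature.Name
                Severity = 'High'
                Note     = "$($feature.DisplayName) is installed but not required for AD DS."
            })
        }
    }

    return $findings.ToArray()
}

function Show-DcRoleFindings {
    [CmdletBinding()]
    param()

    $findings = Get-DcRoleFindings
    if (-not $findings) {
        Write-Output 'No nonsecurity roles or role services found inside the DC boundary.'
        return
    }
    $findings | Format-Table -AutoSize

    # Removal is an administrator decision: -WhatIf shows the dependency impact without acting.
    foreach ($f in $findings | Where-Object { $_.Check -in 'UnexpectedRole', 'ProhibitedRoleService' }) {
        Write-Output "Review before running: Uninstall-WindowsFeature -Name $($f.Item) -Remove -WhatIf"
    }
}

Show-DcRoleFindings
```

Run it on each DC as part of a build or periodic compliance check; a clean result means the only roles present are the ones the allowlist names. The script deliberately checks top-level roles rather than every installed feature, because base features such as .NET and PowerShell are present on every server and would only add noise; extend $ProhibitedFeatures with any role service your environment treats as out of bounds.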
Example 2: On your firewall appliances, disable any optional modules you do not use — VPN concentrator features, web filtering, application proxying — if they are not required. Each extra feature is extra code inside your security boundary that could be exploited.